
The IBM i Audit Journal is a treasure trove of security data. It records thousands of events that reveal what’s happening on your system — from failed logins to changes in user authorities. The challenge is not collecting the data, but filtering and acting on it quickly.
Our team has worked with IBM i journals for many years, building expertise in extracting and reacting to these entries. In fact, our HA4i product already uses this technology to capture object changes and replicate them to other systems. Now, we’ve extended that same proven approach to AAG Security Monitoring, giving administrators real-time visibility into suspicious activity.
AAG Security Monitoring

Because the audit journal can store thousands of records over long periods, we designed AAG to work seamlessly with the Nagios XI polling process. This ensures:
- Efficient polling at set intervals
- Smart lookback windows to capture all relevant events without duplication
- Focused alerts on security-related activity that requires administrator attention
The first set of events we prioritized are those that indicate potential breaches or misconfigurations — the kinds of issues that, if ignored, could lead to catastrophic outcomes.
Key Journal Entries Monitored
AAG currently captures and notifies administrators of the following security-related entries:
- AF – Authority Failures
- AD – Audit Value Changes
- CA – Change of Authority
- CP – Change Profile
- IM – IDS Event
- PW – Password Failure
- VP – Network Password Error
- X0 – Network Authentication
This list provides a strong foundation, and we’ll continue to expand monitoring as new needs arise.
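One way to poll at intervals with a lookback window and still alert on each entry only once, as an added example (not AAG's code). The `fetch` callable, the entry fields and the sample journal are assumptions constructed for illustration; on a real system the rows would be read from the audit journal.

```python
from datetime import datetime, timedelta

# Entry types from the list above.
MONITORED = {"AF", "AD", "CA", "CP", "IM", "PW", "VP", "X0"}

class AuditPoller:
    """Overlapping-window poller that reports each journal entry once."""
    def __init__(self, fetch, lookback=timedelta(minutes=2)):
        self.fetch = fetch        # assumed callable(start, end) -> entries
        self.lookback = lookback  # overlap re-read on every poll
        self.last_poll = None
        self.seen = {}            # (receiver, sequence) -> entry timestamp

    def poll(self, now):
        start = (self.last_poll or now) - self.lookback
        alerts = []
        for e in self.fetch(start, now):
            key = (e["receiver"], e["seq"])  # sequence can reset per receiver
            if e["type"] in MONITORED and key not in self.seen:
                self.seen[key] = e["ts"]
                alerts.append(e)
        # Drop keys older than this window; a later poll cannot re-read them.
        self.seen = {k: ts for k, ts in self.seen.items() if ts >= start}
        self.last_poll = now
        return alerts

# Constructed sample entries. "visible" models an entry that reaches the
# reader a few seconds after its own timestamp.
T0 = datetime(2025, 1, 1, 10, 0, 0)
def at(sec):
    return T0 + timedelta(seconds=sec)
JOURNAL = [
    {"receiver": "AUDRCV0001", "seq": 101, "type": "PW", "ts": at(10), "visible": at(10)},
    {"receiver": "AUDRCV0001", "seq": 102, "type": "ZC", "ts": at(20), "visible": at(20)},
    {"receiver": "AUDRCV0001", "seq": 103, "type": "AF", "ts": at(58), "visible": at(65)},
    {"receiver": "AUDRCV0001", "seq": 104, "type": "IM", "ts": at(90), "visible": at(90)},
]

def fake_fetch(start, end):
    return [e for e in JOURNAL if start <= e["ts"] <= end and e["visible"] <= end]

def run_demo():
    poller = AuditPoller(fake_fetch)
    return [[e["seq"] for e in poller.poll(at(s))] for s in (60, 120, 180)]

if __name__ == "__main__":
    print(run_demo())
```

Entry 103 is stamped just before the first poll but only becomes readable after it; the overlap picks it up on the second poll, and the seen-set keeps entry 101 from alerting twice.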
Intrusion Detection System (IDS) Integration

One powerful but often overlooked IBM i feature is the Intrusion Detection System (IDS), included free with every system. By enabling IDS and configuring policies in iNavigator, IBM i/OS will push IM journal entries into the audit journal as intrusions are detected.
To activate this, the QAUDLVL system value must be updated to include *ATNEVT. Once enabled, IDS provides visibility into attempted intrusions, port scans, and other suspicious network activity — all of which AAG can monitor and alert on.
Findings from Real-World Testing
During testing, we observed:
- Internet-facing IBM i systems are being actively targeted with port scans and probing scripts.
- Password failures and malformed data were logged against web interfaces; the attempts have been unsuccessful so far, but they are persistent.
- Authority failures from vendor-supplied software were recorded, even though the client had no idea this was happening.
In one case, a client was unaware of repeated authority failures until AAG flagged them. This visibility allowed them to take corrective action and strengthen their defenses.

Why This Matters
Audit journal monitoring transforms raw data into actionable intelligence. With AAG, administrators can:
- Detect attacks in progress before they succeed
- Identify misconfigured or overly permissive software
- Reduce manual monitoring overhead
- Gain confidence that hidden risks won’t slip through the cracks
Interested in seeing it in action?
Request a demo today and learn how AAG can help you stay ahead of insider risks, external attacks, and hidden vulnerabilities in your IBM i environment.